Entries : Category [ Security ]
[OpenBSD]  [BSD]  [FreeBSD]  [Linux]  [Security]  [Python]  [Zope]  [Daily]  [e-shell]  [Hacks]  [PostgreSQL]  [OSX]  [Nintendo DS]  [enlightenment]  [Apache]  [Nintendo Wii]  [Django]  [Music]  [Plone]  [Varnish]  [Lugo]  [Sendmail]  [europython]  [Cherokee]  [self]  [Nature]  [Hiking]  [uwsgi]  [nginx]  [cycling]  [Networking]  [DNS] 

24 marzo

Firefox3 WTF!

or how I disagree with some things...

Some days ago I decided to try Firefox 3.0-beta4. At first I was impressed about it's performance, it is really fast tested against the latest version of the 2.0 branch.

Another big point in version 3 is that it doesn't seem to swallow RAM like the 2.0 version. Now I can use the browser even after leaving it opened 2 or more days (in OSx and in FreeBSD leaving Firefox opened from one day to another ends in a almost unusable browser cause it renders itself quite slow).

That's all pretty good, Firefox3, the next generation of a great browser... until I tried to connect to my own webmail service...

Then I realized that the Firefox developers decided to take an approach when dealing with self-signed web certificates very similar to that of the infame IE7.

When you try to access an https website that uses a self-signed cert, you will get something like that:

WTF! an error message when accesing https

WTF!, it is the same kind of message firefox shows when a given domain name does not resolv or when you can't connect to a no-response web server, THAT'S VERY CONFUSING FOR END USERS!.

Of course, you can add a security exception, for that, you only have to click on the link in that page I've showed you (o puede añadir una excepcion in spanish), then you will see something like:

Adding an exception

More ugly and scaring error messages, you click on add exception (añadir excepcion in spanish) to get to another window where you will see the URL you were trying to connect to:

and now you will have to get the cert and add it

There, you will have to push the get certificate button (obtener certificado) to get another error message:

after a lot of ugly errors, you could add your certificate

So, what? I'll tell you my point of view. Imagine you have a website where you offer a service to your customers. That website requires that your customers provide some login information to use the website, so you set up a secure web server certificate using OpenSSL in your web server. OK, your website is secure now.

Your customers are using the website using Opera or Firefox 2, the first time they connect to the website they got a message asking them about installing a security certificate, they took a look over the cert, pressed Ok, and they are done.

Now they upgrade their Firefox browser and try to use the same website... what will happen then? an ugly and scaring message about that website being not trustable and what is worse, a long 4-window process to be able to access that website, a process that could be difficult to follow for non-techie users.

So, Why do they have to change something that was working perfectly in earlier versions? I do not know, but I don't think that was a good idea (IMHO).

(well, I can think about a reason, the same reason some companies ask for 300$-500$ if you want to get a valid web server certificate).

Posted by wu at 23:32 | Comments (0) | Trackbacks (0)
31 marzo

Firefox3, ssl certs and nic.es

or may I say I already told you about that...

Some days ago I wrote some lines about the new version of the Firefox web browser and how it handles self-signed ssl certificates.

Now, I've a perfect example of that problem, nic.es, the .es domains registrar. If you try to access http://www.nic.es using Firefox3, you will see something like:

trying to access nic.es with firefox3

Posted by wu at 01:02 | Comments (0) | Trackbacks (0)
18 junio

Malware and cryptography

or how to bring them all on their knees!

Some time ago, I was a usual reader of security sites, mailing lists and public advisories. Sadly for me, I didn't have the time lately to keep reading about security.

Anyway, today I've found an interesting post in one of the blogs I usually read, the one from Ivan Krstić. In this post Ivan covers the use of cryptography in malware and viruses, pointing to a variant of Gpcode, called Gpcode.ak which, once a system is infected, encrypts every user file/document, leaving a note asking for some money if the user wants to get the files back. Impressive.

From Ivan's post:

it creates a unique 128-bit RC4 (Arcfour) key on each machine and uses a random initialization vector for each file it targets. The IV is written to the beginning of the file, encrypted by the per-machine key, run through MD5, and the output constitutes the per-file key, used to encrypt each file with RC4. At the end, the main per-machine RC4 key is encrypted with a 1024-bit RSA public key which the malware carries within its payload.

Seems this has been around for a while now, but it's the first time it catches my eye.

Of course, I agree with the idea that the problem behind this is not the fact that the malware/virus uses advanced cryptography, but the fact that people use insecure software and insecure operating systems (or broken ones, if you prefer).

Luckily for me, I'm not one of those.

Posted by wu at 14:15 | Comments (0) | Trackbacks (0)
05 abril

Why you should use NoScript

javascript is too powerful and buggy, and the internet is wilder than ever


NoScript is an extension for the Firefox web browser that, among tons of other things, prevents Javascript code from being executed in the browser when you load a page.

Sounds simple, right? Well, NoScript has a lot more features and options, feel free to install it and take a look at its documentation and features, it is really worth it.

But here I want to focus on that hability, to prevent javascript code from being executed in your browser. This can be a bit annoying at first, specially nowadays when every website or webapp is using tons of javascript code for the most simple things, from displaying nice gallery carousels to modify the behaviour of clicks you do on links or buttons, passing by performing additional load of contents from third-party sources. If you don't believe me, just try to load a website like the Washington Post not letting your browser to load any javascript from that domain. You won't see the pictures, for example.

In some other websites the experience is even worse, all you get is message asking you to enable javascript if you want to get the contents; or even worse, a blank page without any contents or indications of why the contents are not there.

That's why many people ask me why - "Why do you have this blocker, which makes websites unusable?" - they ask. Even if I can allow (permanently or temporary) those javascript codes to be executed, people usually find this very annoying.

Well, the answer is for security reasons. Exactly as when I do a network firewall setup, I prefer to go with a block by default, then allow what is needed policy in my browser. I think this is a very good idea, specially if you take in account things like this bugs here:



If you look a bit further down Internet Lane you will find a lot more examples of bugs that can be exploited by simple Javascript code that is automatically executed in your browser when you load a website, so be careful when surfing through the Interwebz!

Posted by wu at 10:33 | Comments (0) | Trackbacks (0)